7.5

CVE-2017-6379

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DrupalDrupal Version8.2.0
DrupalDrupal Version8.2.0 Updatebeta1
DrupalDrupal Version8.2.0 Updatebeta2
DrupalDrupal Version8.2.0 Updatebeta3
DrupalDrupal Version8.2.0 Updaterc1
DrupalDrupal Version8.2.0 Updaterc2
DrupalDrupal Version8.2.1
DrupalDrupal Version8.2.2
DrupalDrupal Version8.2.3
DrupalDrupal Version8.2.4
DrupalDrupal Version8.2.5
DrupalDrupal Version8.2.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.78% 0.511
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 1.6 5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 5.1 4.9 6.4
AV:N/AC:H/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://www.securityfocus.com/bid/96919
http://www.securitytracker.com/id/1038058
https://www.drupal.org/SA-2017-001
Third Party Advisory
Release Notes